[webauthn] Clarification of valid rpIdHash value requested in section 7 when using AppID extension

sbweeden has just created a new issue for https://github.com/w3c/webauthn:

== Clarification of valid rpIdHash value requested in section 7 when using AppID extension ==
There are a couple of usability issues with following the RP operations guidance in section 7.2 for verifying an authentication assertion when using the AppID extension.

Even though I can validly send just the web server's hostname as the RP ID in the call to navigator.credentials.get, if I include the AppID extension, the rpIdHash returned in aData (see step 11 of section 7.2) is the hash of the U2F AppID.

What adds to this confusion is that verification of client extension outputs (where you can detect if "appid": true is returned) is not mentioned until step 14 of section 7.2. In fact, in order to validate the rpIdHash in step 11 you must FIRST figure out if appid was used.

My suggestion is to add clarification to step 11 indicating that appid in the client extension outputs may need to be checked first to ensure the correct rpIdHash is compared.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/980 using your GitHub account

Received on Monday, 2 July 2018 23:06:07 UTC
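The ordering problem the issue describes, as an added illustration (not code from the issue or from the webauthn project): the relying party's step-11 check of rpIdHash only passes for a U2F-registered credential if the `appid` client extension output is consulted first, so the expected hash is SHA-256 of the AppID the RP itself requested rather than of the RP ID. The authenticator data below is constructed for the example, and the function names are assumptions.

```python
import hashlib
import hmac
from typing import Optional

RP_ID_HASH_LEN = 32  # authenticatorData starts with rpIdHash (32 bytes), then flags (1), signCount (4)


def sha256(s: str) -> bytes:
    return hashlib.sha256(s.encode("utf-8")).digest()


def expected_rp_id_hash(rp_id: str, client_ext_results: dict, requested_app_id: Optional[str]) -> bytes:
    """Hash the RP must compare against in step 11 of section 7.2.

    If the client reports "appid": true, the authenticator was exercised as a U2F
    credential and aData carries SHA-256(AppID); otherwise it carries SHA-256(rpId).
    The output is only honoured when the RP actually sent the appid extension.
    """
    if client_ext_results.get("appid") is True:
        if requested_app_id is None:
            raise ValueError("client returned appid=true but RP did not request the AppID extension")
        return sha256(requested_app_id)
    return sha256(rp_id)


def verify_rp_id_hash(auth_data: bytes, rp_id: str, client_ext_results: dict,
                      requested_app_id: Optional[str] = None) -> bool:
    """Step-11 check with the appid extension output consulted first."""
    if len(auth_data) < RP_ID_HASH_LEN + 1 + 4:
        return False  # too short to even hold rpIdHash || flags || signCount
    actual = auth_data[:RP_ID_HASH_LEN]
    expected = expected_rp_id_hash(rp_id, client_ext_results, requested_app_id)
    return hmac.compare_digest(actual, expected)


def build_auth_data(rp_id_hash: bytes, flags: int = 0x01, sign_count: int = 0) -> bytes:
    """Constructed sample authenticatorData: rpIdHash || flags || signCount (big-endian)."""
    return rp_id_hash + bytes([flags]) + sign_count.to_bytes(4, "big")
```

Checking "appid" before the hash comparison is what lets a U2F-registered credential pass step 11; a verifier that hashes only the RP ID rejects every such assertion.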